- Add common-nixos.nix (timezone, locale, git/fastfetch) imported by every
NixOS host, and laptop.nix (systemd-boot, sway, dvorak, iwd, firewall)
imported by X1 and MBP. Strip the nixos-generate-config boilerplate from
both machine configs and reduce them to host-specific settings.
- Enable the firewall on the laptops (was disabled); X1 opens 22 next to
its sshd.
- Pin nixpkgs input to github:nixos/nixpkgs/nixos-26.05 for consistency;
lock rev unchanged (still b51242d).
- Drop unused module arguments.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Document the host table, rebuild commands, and that the MBP Asahi firmware
dir is gitignored and must be populated out-of-band before that host builds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The eval loop covered only the NixOS hosts, so the nix-darwin host could
break unnoticed. Add an eval step for darwinConfigurations.lyrathorpe-mac.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
WINIT_UNIX_BACKEND was set to x11, forcing winit apps onto XWayland in a
Wayland session, contradicting the rest of the block. Set it to wayland,
normalise the heredoc indentation, and drop the unused `options` arg.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
historySubstringSearch.enable already wires the home-manager module and
keybindings; the oh-my-zsh plugin of the same name was redundant.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
peaksea is neither in the plugin list nor packaged in nixpkgs vimPlugins,
so `colorscheme peaksea` errored on startup and vim fell back to the
default scheme. Add catppuccin-vim and select catppuccin_mocha (matching
the swaylock/dunst palette); drop the dead peaksea packadd guard.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The NixOS-WSL store is a read-only VHD whose files are owned by nobody
(65534), not root. programs.ssh.systemd-ssh-proxy.enable (default true)
adds `Include <systemd>/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf`
to /etc/ssh/ssh_config. OpenSSH permission-checks Include'd config files
and rejects any not owned by root or the caller, so the nobody-owned
include fails with "Bad owner or permissions" and breaks ssh/git for
every command.
Disable it on the WSL host: the proxy plugin only serves `ssh unix/…` /
`vsock` connections to local machined VMs, which WSL does not use. Other
hosts keep the default (root-owned store, include works).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the installed App Store apps to homebrew.masApps so mas manages them declaratively: Amphetamine, Apple Configurator, Game Controller Tester, Keynote, Numbers, Pages, PDFgear, PL2303Serial, WireGuard.
Set home-manager.backupFileExtension = "backup" on the NixOS and Darwin base modules. Existing machines carry hand-written ~/.zshrc and ~/.zshenv that home-manager would refuse to overwrite, aborting activation. With a backup extension, the originals are saved as .backup and activation proceeds. The oh-my-zsh setup is already declared in lyrathorpe/home/shell.nix, so the generated files supersede the old ones.
Migrate the prior Homebrew package set onto the nix-darwin host. Leaf CLI formulae move to nixpkgs (environment.systemPackages); pure library deps are dropped since nix resolves them transitively. firefoxpwa and version-pinned llvm@21/lld@21/python@3.14 stay on brew. All GUI apps remain brew casks, since nixpkgs darwin GUI support is unreliable.
Add the nix-homebrew input and darwin module so the Homebrew prefix is installed and owned declaratively (no manual bootstrap), with enableRosetta for x86_64 formulae on Apple Silicon and user = host username.
Set homebrew.onActivation.cleanup = zap so the taps/brews/casks/masApps lists are authoritative: anything not declared is removed on activation.
Turn on nix-darwin's homebrew module with empty taps/brews/casks/masApps lists to fill in, onActivation autoUpdate+upgrade, and cleanup=none (manual formulae left intact; flip to zap for fully authoritative lists). Set system.primaryUser so brew activation runs as the host user.
Add the nix-darwin input (nix-darwin-26.05, follows nixpkgs) and a mkDarwinHost mirroring mkHost: shared commonModule (nixpkgs/nix settings) is factored out and reused, home-manager is wired via darwinModules, and identity is threaded through specialArgs.
New darwinConfigurations.lyrathorpe-mac (aarch64-darwin) reuses the cross-platform ./lyrathorpe/home modules (shell, git, editor); Linux-only sway/desktop modules are excluded. Build with: darwin-rebuild switch --flake .#lyrathorpe-mac.
Add path filters so the workflow triggers only when *.nix files, flake.lock, or the workflow itself change, skipping CI for docs/markdown/unrelated edits.
CI workflow gates on nixfmt formatting and evaluates all three host toplevels (aarch64 evaluates without emulation; no full builds in CI).
renovate.json enables the nix manager and weekly lockFileMaintenance for flake.lock, plus grouped github-actions updates (Renovate matches .gitea/workflows). A self-hosted Renovate workflow runs it on Gitea, since Gitea has no built-in Renovate; it needs a RENOVATE_TOKEN secret.
Move ./emmathorpe -> ./lyrathorpe (git mv preserves history) and rename the MBP/X1 nixosConfiguration names to lyrathorpe-mbp / lyrathorpe-x1c. The EDaaS host keeps its emmathorpe-edaas name and Emma Thorpe identity; it still imports the shared (renamed) config dir.
Derivation outputs are byte-identical to before; pure relabel.
Thread username and fullName per host through the flake host table and specialArgs / home-manager.extraSpecialArgs, so user.nix and git.nix derive identity instead of hardcoding it.
MBP and X1 now provision user lyrathorpe (Lyra Thorpe). EDaaS retains emmathorpe (Emma Thorpe) and its wsl.defaultUser; work commit email is unchanged.
* fix: configure docker for EDaaS WSL VDI
Enable rootful docker with the Docker Desktop proxy patch, add emmathorpe to the docker group, disable resolvconf and enable nix-ld.
* feat: flesh out work module and pin claude-code to nixpkgs unstable
Migrate git config to the settings option, fix the signing key path and email, add argo-rollouts/google-cloud-sdk and other tooling, and enable go. claude-code is sourced from the nixpkgs-unstable overlay.
* chore: update personal git, delta and editor config
Move git config to the settings option, switch to the standalone programs.delta module with git integration, add commitizen, and treat Jenkinsfiles as groovy.
* refactor: dedupe flake with mkHost and add nixos-wsl flake input
Extract a shared mkHost helper to remove duplicated home-manager scaffolding, add nixos-wsl as a flake input so the EDaaS host builds without --impure, source claude-code via a nixpkgs-unstable overlay, and expose a nixfmt formatter output.
* style: format nix files with nixfmt
* refactor: migrate to stable nixpkgs 26.05 and track upstream asahi flake
Pin nixpkgs to nixos-26.05 and home-manager to release-26.05; claude-code stays bleeding-edge via the nixpkgs-unstable overlay.
Centralize allowUnfree and experimental-features in mkHost and pin nix.registry/nixPath to the flake nixpkgs.
Replace the vendored apple-silicon-support module with the nixos-apple-silicon flake input, dropping ~8.8k lines of vendored code.
Fix stable-induced package renames: neofetch -> fastfetch, noto-fonts-emoji -> noto-fonts-color-emoji.
* refactor: adopt flake-parts with host table and scoped unfree
Wrap outputs in flake-parts.lib.mkFlake, replacing forAllSystems boilerplate with systems + perSystem. Drop the unused self argument.
Collapse the three mkHost calls into a hosts attrset mapped with lib.mapAttrs; adding a machine is now a single table entry.
Replace blanket allowUnfree with an allowUnfreePredicate allowlist (claude-code, lens). Add devShells.default (nixfmt, nil, git) and a checks.formatting nixfmt --check gate.
* docs(flake): annotate inputs, mkHost, host table and perSystem
Explanatory comments only; no eval change (drvPath identical).
* refactor(home): split home-manager into focused modules; clarify desktop scope
Break the home.nix monolith into emmathorpe/home/{default,shell,git,editor,desktop}.nix. The host table now composes desktop.nix onto graphical hosts only, so element-desktop, the Sway session vars and cursor theme are no longer installed on the headless WSL host.
Consolidate chat apps: legcord moves from user.nix (system) into the home desktop module alongside element-desktop. The tty1 'exec sway' autostart moves into desktop.nix so it never runs on headless hosts.
Desktop functionality: add xdg.portal (wlr + gtk) in swaywm.nix to enable screen sharing and native file pickers for Element and Firefox under wlroots.
* feat(desktop): declarative Sway config with idle-lock, notifications and bar
Add emmathorpe/home/sway.nix managing wayland.windowManager.sway (package = null, reusing the system Sway wrapper) plus swaylock, swayidle, dunst and an i3status-rust bar. home-manager's systemd integration wires sway-session.target so the swayidle/dunst user services start with the session.
swayidle locks after 5 min, powers outputs off after 10, and locks before sleep. Media/brightness keys use wpctl (pipewire) and brightnessctl; the launcher is sway-launcher-desktop in a floating foot window; keyboard is set to dvorak to match the console.
Move swaylock/swayidle/dunst/i3status-rust out of the system programs.sway extraPackages (now home-managed). Add security.pam.services.swaylock on the MBP host so the lock screen can authenticate (X1 already had it with fingerprint auth).
---------
Co-authored-by: Emma Thorpe <emma.thorpe@citrix.com>
Move git config to the settings option, switch to the standalone programs.delta module with git integration, add commitizen, and treat Jenkinsfiles as groovy.
Migrate git config to the settings option, fix the signing key path and email, add argo-rollouts/google-cloud-sdk and other tooling, enable go, and wire a dedicated nixpkgs-unstable input so claude-code tracks unstable independently of the pinned nixpkgs.
Enable rootful docker with Docker Desktop proxy patch, add emmathorpe to the docker group, disable resolvconf and enable nix-ld so the WSL distro behaves.
Emma Thorpe
lyrathorpe
renovate-bot